
Computer architectures and safety integrity level apportionment

H. Jansen & H. Schäbe
TÜV InterTraffic GmbH, Köln, Germany

Abstract

Currently, technical systems are becoming more and more complex. A main contribution comes from electronic control systems that allow for a larger number of functions. The concept of Safety Integrity Levels (SILs) has been developed within different systems of standards (IEC 61508, EN 50129 / EN 50128 and DEF-STAN 00-56). These standards are applied in different areas: control technology (IEC 61508), railway technology (EN 50129 and EN 50128) and defence technology (DEF-STAN 00-56). SILs are a tool for assigning safety targets to systems. The concept of a SIL within the different standards is explained.
The problem of assigning SILs to functional units within a system is discussed, especially how a SIL is realised by a certain safety architecture of a system. Some standards give rules for system architecture and for how to achieve a higher SIL for a system designed from constituents that have a lower SIL. Examples of system architectures and SIL assignment are given.
For all systems, the choice of SILs for hardware and software is discussed and the problems arising are described.
Keywords: Safety Integrity Level (SIL), SIL apportionment, EN 50129, fault tree analysis, computer architectures, railway technology, DEF-STAN 00-56, IEC 61508.

1 Introduction

Currently, technical systems become more and more complex. This is true even for technical systems of small size, since they incorporate different technologies. A main contribution comes from electronic control systems that allow for a larger number of functions. On the other hand, a larger number of functions complicates the demonstration that a safety relevant system meets the relevant safety requirements.

Computers in Railways IX, J. Allan, C. A. Brebbia, R. J. Hill, G. Sciutto & S. Sone (Editors)
© 2004 WIT Press, www.witpress.com, ISBN 1-85312-715-9
The concept of Safety Integrity Levels (SILs) has been developed within different systems of standards (IEC 61508, EN 50129 / EN 50128 and DEF-STAN 00-56). These standards are applied in different areas: control technology (IEC 61508), railway technology (EN 50129 and EN 50128) and defence technology (DEF-STAN 00-56). SILs are a tool for assigning safety targets to systems.
Sometimes, safety relevant systems are constructed from components that have already been proven to fulfil the requirements of a certain SIL. These results could then be reused when a system is built up from those components or sub-systems. For these cases it is important to have rules for how the SILs of sub-systems are to be combined to arrive at the SIL of the system. Of particular interest is how components or sub-systems of a lower SIL could be combined to give a system with a higher SIL. Such a procedure is also called "SIL apportionment".
In this paper, the question of SIL apportionment is considered. Section 2 is dedicated to the definition of the Safety Integrity Level. In the third section a critical review of existing approaches to SIL apportionment is given. The fourth section discusses some simple examples of system architectures. In the last section, conclusions are presented.

2 Safety integrity levels

The safety integrity level has been introduced in several standards (IEC 61508, DEF-STAN 00-56, EN 50126, EN 50128, EN 50129). In all of these standards, four safety integrity levels are defined. A safety integrity level is a discrete level for specifying requirements for safety integrity.
The Safety Integrity Level (SIL) consists of two main aspects:
a) A target failure rate, i.e. a maximal rate of dangerous failures of the system that must not be exceeded. In IEC 61508, besides rates of dangerous failures, probabilities of failure on demand are defined for systems that are operated in demand mode. The target failure rate is intended to characterise the random failures of the system.
b) A set of measures that is intended to cope with systematic failures. These measures shall ensure that systematic failures can be neglected compared to random failures.
For software, only systematic failures are considered and no target failure rate is given.
The safety integrity levels and their target failure rates are defined as follows.


Table 1: Target failure rates for different SILs (λ = rate of dangerous failures per hour).

SIL   IEC 61508 / EN 50129        DEF-STAN 00-56
4     10^-9/h ≤ λ < 10^-8/h       Remote     (λ ≈ 10^-8/h)
3     10^-8/h ≤ λ < 10^-7/h       Occasional (λ ≈ 10^-6/h)
2     10^-7/h ≤ λ < 10^-6/h       Probable   (λ ≈ 10^-4/h)
1     10^-6/h ≤ λ < 10^-5/h       Frequent   (λ ≈ 10^-2/h)

Remarks:
The standards EN 50126 and EN 50128 do not give target failure rates. EN 50126 requires only the existence of Safety Integrity Levels. EN 50128 is dedicated to software and to software SILs, for which no numeric rates are given.
DEF-STAN 00-56 gives the target rates implicitly, by stating verbal equivalents and presenting the numbers for those in another place.
It has to be noted that the Safety Integrity Levels as defined in IEC 61508 and EN 50129 on the one hand do not coincide with the Safety Integrity Levels as defined in DEF-STAN 00-56 on the other hand: only SIL4 has the same target rate in both, while for SIL3 to SIL1 the DEF-STAN rates lie one to three orders of magnitude above the IEC 61508 band (Table 1).
There exist different methods to find a Safety Integrity Level for a particular technical system. This question will not be discussed in detail, see EN 50129 [4], Schäbe [7, 8]. In this connection it is mentioned that EN 50129 requires the SIL to be defined at the level of a system function.

3 Combining safety integrity levels

3.1 The problem

When a system has to be designed according to a specified safety integrity level, this can be done using sub-systems that have already been approved to a specified Safety Integrity Level. Such an approach could ease the design of safety relevant systems. However, the main question to be solved is the following:
How should safety relevant sub-systems be combined to give a safety relevant system with a specified SIL?
As an example: Can a SIL4 system be constructed from two SIL2 systems connected in parallel, since 2 x 2 = 4?
Obviously, the arithmetic presented in the question above is wrong. However, which approach can be applied?
The problem stated is called SIL apportionment, see Yellow Book [10].

3.2 Existing approaches

The only standard which presents a possibility to combine Safety Integrity Levels is DEF-STAN 00-56 [1], see also User Viewpoint [9]. Clause 7.4.4 presents table 8 "Apportionment of Safety Integrity Levels". According to it, a system with a higher SIL can be constructed by combining sub-systems that each have a lower SIL. Besides the sub-systems, a combinator is present that shall always have the SIL of the system. Apart from this restriction, the table presents the following rules:

SIL combination rules (DEF-STAN 00-56, table 8)

SIL3 || SIL3 → SIL4
SIL2 || SIL2 → SIL3
SIL1 || SIL1 → SIL2
SILx || SILy → SIL max(x, y)

That means, whenever two sub-systems of a certain SIL are connected in parallel and they are strictly independent, the resulting system has the next higher SIL. Also, if two sub-systems with different SILs are connected in parallel, the resulting system SIL is the higher of the two, but cannot be larger than the best SIL of the sub-systems. The rules are not intended to be applied iteratively.
The approach described above has been described in the Yellow Book [10]. There, however, it has been applied to SILs as defined in IEC 61508 [5] / ENV 50129 [4], and not to those in DEF-STAN 00-56 [1]. The SILs of the two standards differ at least regarding their target failure rates.
Cook [11] gives an alternative approach based on the combination of target rates for IEC 61508 [5], which is based purely on numeric aspects and neglects design principles.
In what follows it will be demonstrated that the approach suggested in the Yellow Book is inconsistent. The computational method used by Cook [11] will be extended by using the inspection interval and considering design rules.
As a consistency check, the rate of dangerous failures of the resulting system will be computed under the following assumptions:
1) A combinator is not necessary.
2) The inspection interval is t.
3) The system is constructed of two sub-systems that are connected in parallel and have the same SIL.
4) The system is intended to have a SIL which is one increment higher than that of the sub-systems.
Then, the rate of dangerous failures of the system is approximately λ²t, provided the rate of dangerous failures of one sub-system is λ: the system fails dangerously only if the second sub-system fails while the first has already failed and its failure has not yet been revealed by an inspection. This approach is equivalent to the approach of Cook [11]; however, it takes into account the inspection interval and does not compute one rate by simply multiplying two other rates.
If now the rules from DEF-STAN 00-56 are applied to the SILs defined in IEC 61508 [5] and in DEF-STAN 00-56 [1], the following result is obtained.
First, an inspection interval of 10000 hours is assumed. The value has been chosen since an inspection interval of approximately one year is frequently chosen for different technical systems.
Table 2 has to be read as follows. In the first column, the SIL of the system is given, followed by the target value for this SIL according to IEC 61508 [5]. Then the failure rate of the system, computed as λ²t from the target rates of the sub-systems according to IEC 61508 [5], is presented. The following two columns present the same data for DEF-STAN 00-56 [1]. The remaining three columns, located in the second part of the table, give the sub-system SIL and the target rates for the sub-system according to both standards. The system of SIL n in the first part is built from two sub-systems of SIL n-1 from the second part.

Table 2: SILs for an inspection interval of 10000 hours.

System
SIL   Target rate   Computed rate   Target rate        Computed rate
      (IEC 61508)   (IEC 61508)     (DEF-STAN 00-56)   (DEF-STAN 00-56)
4     10^-8/h       10^-10/h        10^-8/h            10^-8/h
3     10^-7/h       10^-8/h         10^-6/h            10^-4/h
2     10^-6/h       10^-6/h         10^-4/h            1/h

Sub-system
SIL   Target rate (IEC 61508)   Target rate (DEF-STAN 00-56)
3     10^-7/h                   10^-6/h
2     10^-6/h                   10^-4/h
1     10^-5/h                   10^-2/h

Table 3: SILs and necessary inspection interval (in hours).

System
SIL   Target rate   Necessary inspection   Target rate        Necessary inspection
      (IEC 61508)   interval (IEC 61508)   (DEF-STAN 00-56)   interval (DEF-STAN 00-56)
4     10^-8/h       1000000 h              10^-8/h            10000 h
3     10^-7/h       100000 h               10^-6/h            100 h
2     10^-6/h       10000 h                10^-4/h            1 h

Sub-system
SIL   Target rate (IEC 61508)   Target rate (DEF-STAN 00-56)
3     10^-7/h                   10^-6/h
2     10^-6/h                   10^-4/h
1     10^-5/h                   10^-2/h

From the table, it becomes clear that the SIL apportionment might lead to inconsistencies. For the assumed inspection interval, within IEC 61508 [5] the system reaches its target and is even better than required for SIL3 and SIL4 (system). On the contrary, for DEF-STAN 00-56 [1], a system constructed from sub-systems with a lower SIL does not reach the target for SIL2 and SIL3 (system). This consideration is purely numerical and does not even take into account the additional complications that arise when measures against systematic failures are considered. The key to the problem lies within the inspection interval. Table 3 gives the inspection interval necessary to meet the numeric requirements, i.e. the largest t for which λ²t does not exceed the target rate of the system SIL: t = (target rate of the system SIL) / λ².
The structure of table 3 is almost the same as that of table 2. The third and fifth columns present the necessary inspection intervals to meet the target failure rate for the SIL of the system.
It can be seen that there are large differences between the various SILs. Also, there are differences between the values obtained for IEC 61508 [5] and DEF-STAN 00-56 [1].
In any case, the failure rates (or target rates) of the sub-systems have to be used to derive the system's failure rate with the help of a small fault tree, in order to verify that the system fulfils at least the target failure rate requirements. For this computation, the inspection interval has to be taken into account.
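The numeric consistency check of this section, written out as a small program (an added example, not part of the original paper): it takes the target rates of Tables 1 and 2, computes the system rate λ²t for two identical, independent sub-systems in parallel with inspection interval t, compares it with the target of the next higher SIL, and derives the largest admissible inspection interval t = target / λ². The standard names and target values are those of Table 2; the function names are the example's own. Exact rational arithmetic is used so that a computed rate landing exactly on a target (two DEF-STAN SIL3 sub-systems at t = 10000 h) is not misjudged by floating-point rounding.

```python
from fractions import Fraction

# Target rates of dangerous failures per hour, upper bound of each SIL band
# (Table 1), as used in Table 2.  Exact rationals: a computed rate that lands
# exactly on a target must compare as "meets", not be lost to rounding.
IEC_61508 = {4: Fraction(1, 10**8), 3: Fraction(1, 10**7),
             2: Fraction(1, 10**6), 1: Fraction(1, 10**5)}
DEF_STAN_00_56 = {4: Fraction(1, 10**8), 3: Fraction(1, 10**6),
                  2: Fraction(1, 10**4), 1: Fraction(1, 10**2)}


def parallel_rate(lam, t):
    """Rate of dangerous failures of two independent sub-systems in parallel,
    each with rate lam, when a failed sub-system is only revealed by an
    inspection every t hours (the lambda**2 * t of section 3.2, no combinator)."""
    return lam * lam * t


def required_interval(target, lam):
    """Largest inspection interval (h) for which lam**2 * t <= target."""
    return target / (lam * lam)


def apportion(targets, sub_sil, t):
    """Apply 'SILn || SILn -> SILn+1' numerically within one standard."""
    lam = targets[sub_sil]
    system_sil = sub_sil + 1
    target = targets[system_sil]
    rate = parallel_rate(lam, t)
    return {"sub_sil": sub_sil, "system_sil": system_sil, "target": target,
            "computed": rate, "meets_target": rate <= target,
            "required_interval_h": required_interval(target, lam)}


def table(targets, t=10000):
    """Rows of Tables 2 and 3 for one standard: system SIL 4, 3, 2 built from
    sub-system SIL 3, 2, 1 with inspection interval t (default 10000 h)."""
    return [apportion(targets, s, t) for s in (3, 2, 1)]


if __name__ == "__main__":
    for name, targets in (("IEC 61508", IEC_61508),
                          ("DEF-STAN 00-56", DEF_STAN_00_56)):
        print("%s, inspection interval 10000 h" % name)
        print("  system SIL  target/h  computed/h  meets  max interval/h")
        for r in table(targets):
            print("  %d           %.0e     %.0e       %-5s  %.0f" % (
                r["system_sil"], float(r["target"]), float(r["computed"]),
                r["meets_target"], float(r["required_interval_h"])))
```

Running it prints both halves of Tables 2 and 3; the two DEF-STAN rows that fall short (system SIL3 and SIL2) are the ones the text discusses, and the `required_interval_h` column is what Table 3 lists.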
Besides the target rates, design requirements have to be considered when sub-systems of a lower SIL are combined with the intention to construct a system with a higher SIL.
DEF-STAN 00-56 [1] requires in clause 7.3.3 that "Design rules and techniques appropriate to each safety integrity level shall be determined prior to implementation...". No further, specific information on design rules is given. This is a weakness when considering the SIL combination rule of DEF-STAN 00-56 [1].
Much more specific information is given in IEC 61508 [5] (part 2, annex A3, annex B) and EN 50129 [4] (Annex E). Here, different design methods are required for the different SILs. The most extensive set of methods is required for SIL4. Surely, this entire set of methods cannot be transferred easily, and for all possible systems, into a simple rule for the combination of sub-systems of a lower SIL to form a system with a higher SIL.
However, two important points shall be mentioned.
1) Clause B.3.1 of EN 50129 [4] requires for SIL3 and SIL4 that no single fault may lead to a dangerous failure. Obviously, this will be fulfilled by a parallel structure of two independent sub-systems.
2) It can be seen from the tables of design requirements in IEC 61508 [5], EN 50129 [4] and EN 50128 [3] that the requirements for SIL1 and SIL2 are similar, with those for SIL2 being stricter. The same holds for SIL3 and SIL4. The substantial differences occur between SIL2 and SIL3 and between SIL1 and systems that are not safety relevant.
Consequently, each case of SIL apportionment has to be studied specifically regarding design rules. The formal application of the SIL combination rule from DEF-STAN 00-56 [1] cannot be recommended in the area of application of EN 50126 [2] and IEC 61508 [5]. In addition, target failure rates have to be considered, together with the inspection intervals.

4 Examples

In this section, several examples of simple systems will be considered. It is assumed for all examples that the inspection intervals are chosen adequately, i.e. such that the numeric condition of section 3 is met. For the systems described below, it is assumed that IEC 61508 [5] or EN 50129 [4] is applied.

4.1 Two electronic sub-systems connected in parallel

Two sub-systems are connected in parallel. Assume that each sub-system checks the other sub-system and is able to bring the entire system into a safe state, so that a combinator is not necessary.

[Block diagram: Sub-system 1 and Sub-system 2 in parallel]

If both sub-systems were electric or electronic systems without software having SIL3, they could be combined into a SIL4 system. This is possible since the design rules are not very different for SIL3 and SIL4. However, the sub-systems must be independent.
If the system is required to have SIL2, it could be combined from two SIL1 sub-systems using the same argumentation as for the construction of a SIL4 system.
If both sub-systems have SIL2 and the system is required to have SIL3, a deeper investigation of the system is needed, since several design rules are required for SIL3 (system) that might not have been applied for a SIL2 sub-system. Here, the safety cases of the sub-systems would have to be studied and possible additional measures would have to be defined.

4.2 System with software

In case the sub-systems are operated by software, the picture given above changes. Usually, the same software is used in both sub-systems. This is shown by the following picture.

[Block diagram: Sub-system 1 and Sub-system 2 in parallel, both running the same Software]

If the entire system shall have SIL4, the software shall also be SIL4. This is in accordance with the requirements of the standards (e.g. EN 50128 [3]), requiring that the software SIL is at least the system SIL. Moreover, the software is not redundant in the system: a systematic fault in it affects both sub-systems at once. Analogously, a SIL2 system can be constructed from two parallel SIL1 sub-systems with SIL2 software.

If the system is required to have SIL3, the software must also have SIL3. If the hardware is SIL2, the additional considerations described in 4.1 have to be made.
4.3 System with diverse software

If there is different software in the two sub-systems, the block diagram looks as follows.

[Block diagram: Sub-system 1 (Hardware) with Software 1, in parallel with Sub-system 2 (Hardware) with Software 2]

In this case, there is different software in both sub-systems. Therefore, the same considerations as in 4.1 apply regarding the SIL apportionment. That means, a SIL4 system can be constructed from two SIL3 sub-systems, each equipped with SIL3 software. Analogously, a SIL2 system can be constructed from two SIL1 sub-systems. Again, for constructing a SIL3 system from two SIL2 sub-systems, additional considerations must take place.
4.4 System with redundant software

The following example presents a system with one hardware channel but redundant software. The software redundancy can come from two different software packages or from redundant programming techniques.

[Block diagram: one Hardware channel running Software 1 and Software 2 in parallel]

If such a system is required to have SIL4, the hardware must have SIL4 and both software versions must be at least SIL3. In addition, it must be proven that each failure of the hardware is detected by the software and that there are means to bring the system into a safe state. The same can be done if the system shall have SIL2: then the hardware has to have SIL2 and there must be two independent software versions with SIL1 each. For a SIL3 system, however, a detailed study is necessary if the hardware is SIL3 and the software versions are SIL2.
It needs to be noted that the question of independence of two software versions running on the same hardware is not trivial. This problem will not be discussed here.


4.5 System with hardware bypass

As the last example, a system is discussed that consists of an electronic system with software and a hardware system acting in parallel.

[Block diagram: Hardware 1 with Software 1, in parallel with a Hardware bypass]

Obviously, if the "hardware bypass" has the same SIL as required for the system, hardware 1 and software 1 do not need to have any SIL.
Also, the same logic as in 4.1 can be applied, i.e. constructing a SIL4 system from SIL3 sub-systems (hardware 1 and software 1 on the one side and the hardware bypass on the other side). In any case, "software 1" must have the same SIL as "hardware 1".

4.6 Discussion of other combinations

Another question is still left open: are other combinations possible? A good example would be a SIL1 system built from SIL0 systems; usually, commercial-off-the-shelf systems do not have a SIL. The examples described above are not complete. There are still other possibilities to build safety relevant systems. However, it is complicated to give a general rule. In each case, the particular application has to be studied and a safety case for the system has to be elaborated. A good indication of whether the chosen architecture would meet a SIL requirement is that the target failure rate of the system SIL is not exceeded by the rate of the system, computed from the rates of its sub-systems.
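The design-rule side of the examples in 4.1 to 4.6, encoded as a small evaluator over block diagrams (an added example, not the authors' code). It is a deliberate simplification of the argument above: a series of elements (a shared software, a single hardware channel, a combinator) gets the lowest SIL among them, since a dangerous failure of any one of them is a dangerous failure of the whole; two independent parallel channels of equal SIL n get SIL n+1, with the SIL2 → SIL3 step flagged for the case-by-case study the text demands; unequal channels get the higher SIL, which is the DEF-STAN 00-56 rule the bypass example in 4.5 relies on; and nested redundancy is not credited, since the rules are not meant to be applied iteratively. The class and function names, the SIL 0 convention for components without a SIL, and the `software_on_shared_hardware` flag are the example's own assumptions. The numeric check with the failure rates and the inspection interval (section 3) is a separate step and is not repeated here.

```python
from dataclasses import dataclass


@dataclass
class Element:
    """Hardware channel, software package, combinator or bypass."""
    name: str
    sil: int            # 0 = no SIL (e.g. a COTS component); convention of this example


@dataclass
class Series:
    """All parts are needed: a dangerous failure of any one is a dangerous
    failure of the whole (shared software, single hardware, combinator)."""
    parts: list


@dataclass
class Parallel:
    """Two independent channels; one surviving channel keeps the system safe."""
    channels: list
    # Set for two software versions on one hardware (4.4): the argument then
    # depends on the software detecting every hardware failure.
    software_on_shared_hardware: bool = False


def contains_parallel(node):
    if isinstance(node, Parallel):
        return True
    if isinstance(node, Series):
        return any(contains_parallel(p) for p in node.parts)
    return False


def claimed_sil(node, notes):
    """SIL that the section 4 argument supports for `node`; every point that
    still needs a case-by-case study is appended to `notes`."""
    if isinstance(node, Element):
        return node.sil
    if isinstance(node, Series):
        # A non-redundant element must carry the SIL of the whole (4.2, 4.4, 4.5).
        return min(claimed_sil(p, notes) for p in node.parts)
    assert len(node.channels) == 2, "the combination rules are stated for two channels"
    sils = [claimed_sil(c, notes) for c in node.channels]
    if node.software_on_shared_hardware:
        notes.append("4.4: prove that the software detects every hardware failure "
                     "and can reach a safe state; independence of two software "
                     "versions on one hardware is not trivial")
    if any(contains_parallel(c) for c in node.channels):
        notes.append("3.2: redundancy inside a channel is not credited, the "
                     "combination rule is not meant to be applied iteratively")
        return max(sils)
    if sils[0] != sils[1]:
        # DEF-STAN 00-56 table 8: SILx || SILy -> SIL max(x, y); used in 4.5.
        return max(sils)
    n = sils[0]
    if n == 0:
        notes.append("4.6: no general rule for a SIL1 system from SIL0 parts")
        return 0
    if n == 2:
        notes.append("4.1: SIL2 || SIL2 -> SIL3 needs a study of the sub-system "
                     "safety cases, the SIL3 design rules differ substantially")
    return min(n + 1, 4)


def assess(node):
    notes = []
    return claimed_sil(node, notes), notes


def section_4_examples():
    """Block diagrams of 4.1 to 4.5 with the SILs the text discusses."""
    return {
        "4.1 two SIL3 channels": Parallel([Element("HW1", 3), Element("HW2", 3)]),
        "4.1 two SIL2 channels": Parallel([Element("HW1", 2), Element("HW2", 2)]),
        "4.2 shared SIL4 software": Series([Parallel([Element("HW1", 3), Element("HW2", 3)]),
                                           Element("SW", 4)]),
        "4.2 shared SIL3 software": Series([Parallel([Element("HW1", 3), Element("HW2", 3)]),
                                           Element("SW", 3)]),
        "4.3 diverse SIL3 software": Parallel([Series([Element("HW1", 3), Element("SW1", 3)]),
                                               Series([Element("HW2", 3), Element("SW2", 3)])]),
        "4.4 SIL4 hardware, two SIL3 software versions": Series(
            [Element("HW", 4),
             Parallel([Element("SW1", 3), Element("SW2", 3)], software_on_shared_hardware=True)]),
        "4.5 COTS channel with SIL4 bypass": Parallel([Series([Element("HW1", 0), Element("SW1", 0)]),
                                                        Element("bypass", 4)]),
    }


if __name__ == "__main__":
    for title, diagram in section_4_examples().items():
        sil, notes = assess(diagram)
        print("%s: claimed system SIL %d" % (title, sil))
        for note in notes:
            print("    study: " + note)
```

The two 4.2 entries show the point about non-redundant software directly: with the shared software at SIL3 the whole diagram drops to SIL3 even though the hardware pair alone would reach SIL4.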

5 Conclusions

A general rule for SIL apportionment as given in DEF-STAN 00-56 [1] cannot be provided. In any case, target failure rates and/or inspection intervals have to be taken into account. If this is not obeyed, SIL apportionment becomes inconsistent. Several variants of architectures of simple systems have been considered.
General rules can only be given for sub-systems connected in parallel and for some SILs. Other system architectures, and these are most of them, have to be studied in detail.
A good indication of whether the chosen architecture would meet a SIL requirement is that the target failure rate of the system SIL is not exceeded by the rate of the system, computed from the rates of its sub-systems.


References
[1] DEF STAN 00-56, Safety Management Requirements for Defence Systems, parts 1 and 2, Dec. 1996.
[2] EN 50126, Railway Applications – The Specification and Demonstration of Dependability, Reliability, Availability, Maintainability and Safety (RAMS), issue March 2000.
[3] EN 50128, Railway applications – Communications, signalling and processing systems – Software for railway control and protection systems, issue March 2001.
[4] EN 50129, Railway applications – Communication, signalling and processing systems – Safety related electronic systems for signalling, issue February 2003.
[5] IEC 61508, parts 1-6, Functional safety of electrical/electronic/programmable electronic safety-related systems.
[6] Joint Airworthiness Authorities, Joint Airworthiness Requirements JAR-25 Large Aeroplanes.
[7] Schäbe, H., 2001a, Different Approaches for Determination of Tolerable Hazard Rates, ESREL 2001, Torino, Conference Proceedings, vol. 1, pp. 435-442.
[8] Schäbe, H., 2001b, Different Principles Used for Determination of Tolerable Hazard Rates, 9 pp., Materials of the World Congress on Railway Research, Cologne, 25-29.11.2001, 12-03.
[9] User Viewpoint of 00-56, http://www-scm.tees.ac.uk/hazop/standards/56/viewp/riskest5.htm.
[10] Yellow Book, http://www.yellow_book_rail.org.uk/site/the_yellow_book/volume_2/chapter_09.pdf.
[11] Cook, R., 2002, System Architectural Implications Following SIL Assignment – A Railway Signalling Example, IEE Seminar "SILs – Does Reality Meet Theory", 9 April 2002, http://www.iee.org/oncomms/pn/functionalsafety/libtary.cfm.
